Disabled Customer Still Ordered

[Dirty Butter 727]

Based on the whole layout of the information, I assumed a recent unpaid order was not legitimate and cancelled it. I then disabled the customer, but did not delete it.

Today, the same person ordered and paid with PayPal for what appears to be a legitimate order.

I was surprised - I thought un-checking the Status entry on the Customers list would keep the customer from being able to login. They did change the delivery address for the order to a USA address. But the default delivery address is still to a country we do not do business with. We have refused orders from re-shippers before trying to send toys to Korea. South Korean businesses have a reputation for buying a toy, copying it, and selling in online stores as the genuine article. Our post master advised against sending toys to them.

Should the unchecked customer have been able to login again or is this a bug?

[havenswift-hosting 200]

Disabling the customer will stop them from logging in again but a possible explanation for this is that the customer never logged out and so still had an active session and so did not actually need to login again. There is a good argument that disabling a customer should automatically terminate any active sessions and many other systems have a way of terminating active login sessions manually as well.  Would be worthwhile adding this as a bug / feature request to github and reference this thread

[Al Brookbanks 199]

We can easily remove the session on disable. Probably worth doing. 

[Dirty Butter 727]

Good - this person is very upset with me LOL - I refunded payment, and they, in broken English and Korean signature, complained.

Edited September 26, 2019 by Dirty Butter

[Al Brookbanks 199]

I think this is a specific situation. I like the idea of deleting the session however I think this may be an Express Checkout specific bug. Investigating.....

[Dirty Butter 727]

I use Standard PayPal, not the Express.

[Al Brookbanks 199]

Hmm how did you manage this then!? Express logs in based on proven email ownership. Standard doesn't.

Do you know how to make this happen?

[Dirty Butter 727]

I'll see if I can figure out how to replicate this situation and get back to you.

[Dirty Butter 727]

I created a fake account. Logged out of Admin and logged back in. I then disabled the Account, but left Store FireFox browser tab still open. I then went to the store front tab and tried to open the account to make a purchase. I CORRECTLY received the Invalid User Name/Password. So I tried to make a new account using the same fake information. This time when I tried to continue with checkout I received the "Email address is already in use" warning, as expected.

Then I emptied Cache in Admin and tried the same thing again, but opening the store from the Chrome browser. Admin is open in FireFox with Store open only in Chrome. All error messages are as they should be.

SO I cannot reproduce it, unless you can tell me a different series of actions to try.

PS - just in case it is meaningful - I have tried Express sometime in the past - could there be some database config entry leftover that is confusing the situation?